From 9ad6dfb3508bfcf658c0223adcf019840423782a Mon Sep 17 00:00:00 2001 From: Andrew Deason Date: Fri, 15 Jun 2012 16:58:42 -0500 Subject: [PATCH] viced: Restrict RXAFS_FlushCPS to administrators RXAFS_FlushCPS currently can be run by anyone, including unauthenticated users. Forcing CPS calculation can be a relatively resource-intensive operation, though, if done frequently enough, and only should need to be done by administrators. Thus, only let administrators use it. Reviewed-on: http://gerrit.openafs.org/7572 Tested-by: BuildBot Reviewed-by: Derrick Brashear (cherry picked from commit 568adf7d18eb17a42caa263aabc92a686f0ae121) Change-Id: I715e7ede7ea92be65a134116ecb4d1b7e2ccd264 Reviewed-on: http://gerrit.openafs.org/9485 Reviewed-by: Michael Meffie Reviewed-by: Derrick Brashear Reviewed-by: Stephan Wiesand Reviewed-by: Andrew Deason Tested-by: BuildBot --- src/viced/afsfileprocs.c | 6 ++++++ src/viced/viced.h | 1 + 2 files changed, 7 insertions(+) diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c index 299864570..691a4ebda 100644 --- a/src/viced/afsfileprocs.c +++ b/src/viced/afsfileprocs.c @@ -6567,6 +6567,12 @@ SRXAFS_FlushCPS(struct rx_call * acall, struct ViceIds * vids, FS_LOCK; AFSCallStats.TotalCalls++; FS_UNLOCK; + + if (!viced_SuperUser(acall)) { + errorCode = EPERM; + goto Bad_FlushCPS; + } + nids = vids->ViceIds_len; /* # of users in here */ naddrs = addrs->IPAddrs_len; /* # of hosts in here */ if (nids < 0 || naddrs < 0) { diff --git a/src/viced/viced.h b/src/viced/viced.h index 09e2bf395..06b75a107 100644 --- a/src/viced/viced.h +++ b/src/viced/viced.h @@ -254,5 +254,6 @@ extern struct fs_state fs_state; #define FS_MODE_SHUTDOWN 1 #endif /* AFS_DEMAND_ATTACH_FS */ +extern int viced_SuperUser(struct rx_call *call); #endif /* _AFS_VICED_VICED_H */ -- 2.39.5